Three Businesspeople Gathered Around Monitor

Examiners are pressing the leadership of financial institutions to strengthen cybersecurity to address the growing threat from hackers.

Preventing Cybercrime

A Six-Point Plan for Strengthening Cybersecurity in Financial Institutions

  • John Moeller
  • 4/22/2015

Few are surprised to hear that federal and state regulators are pressing financial institutions on cybersecurity planning, readiness, and oversight. After all, there has been plenty of warning that a higher level of scrutiny was coming, beginning with a 2013 presidential executive order on improving the nation’s cybersecurity infrastructure, and most recently, the Federal Financial Institution Examination Council’s (FFIEC) pilot examination program last summer.

All of this activity is now filtering down to the local level and surfacing as questions posed by IT examiners.

  • Board members are meeting one on one with examiners, who want to know how the board is providing oversight, and ongoing risk monitoring.
  • Examiners are asking senior management about how the institution is educating board members on cybersecurity risks and the changing threat landscape.
  • Management is being asked to develop a comprehensive cybersecurity policy that includes incident detection and a response plan.

Responding to these inquiries can be a challenge, even for institutions that view themselves as being up-to-date on the latest cybersecurity threats and defenses. But the threats are always changing and they are clearly not going away. As examiners continue to raise their expectations, senior management and the board of directors must take a more comprehensive and proactive approach to cybersecurity.

Following is a six-point framework that can help your financial institution recognize its current risks, strengths, and weaknesses related to cybersecurity, and develop detailed policies and plans. It is based, in part, on the questions that examiners are asking financial institutions. These actions invariably carry a price tag and they cannot all be done at once, so it is important to set priorities and budgets early in the process.

1. Update your information security program to address cybersecurity

  • Develop a cybersecurity framework that is appropriate for your institution’s risk profile
  • Create necessary cybersecurity policies and guidelines
  • Develop a strategic information security plan in sync with your strategic technology plan
  • Provide cybersecurity training to key staff
  • Update job descriptions that have cybersecurity responsibilities
  • Create and maintain a cybersecurity risk assessment
  • Identify all third-party connections to your network and the location of sensitive information on the network, in the cloud, or offsite

2. Expand information security controls

  • Develop configuration standards for all devices attaching to the network; follow vendor hardening guides and/or create baseline configuration standards and policies
  • Identify new vulnerabilities and threats
  • Schedule regular cybersecurity reports (i.e., event logs, firewalls, cyber incidents)

3. Enhance network security (hardening)

  • Review administrator account management (normal and privileged)
  • Remove local administrative rights
  • Review domain administration restrictions
  • Require strong passwords and implement password management
  • Implement internal network multifactor authentication and encryption
  • Research and deploy email hardening
  • Create website white lists

4. Upgrade third-party vendor and customer management

  • Add recommended cybersecurity language to agreements and contracts
  • Obtain an independent review of service provider cybersecurity controls (i.e., Statement on Standards for Attestation Engagements (SSAE) 16, FFIEC IT review, IT audit, internal and external penetration testing)
  • Conduct a risk assessment for online cash management customers
  • Require cash management customers to obtain the appropriate level of cyber liability insurance

5. Strengthen management and board oversight and cybersecurity governance

  • Initiate cybersecurity framework implementation
  • Provide regular cybersecurity board reports
  • Develop cyberrisk management policies
  • Share threat intelligence through organizations such as the Financial Services Information Sharing and Analysis Center
  • Develop and deploy a cybersecurity incident response plan

6. Enhance cybersecurity testing

  • Conduct external penetration tests that mimic the real world techniques of cybercriminals
  • Conduct internal network penetration tests to look for configuration weaknesses, unsecure network file shares, and data leakage

How we can help

Remember that these points are only a framework — a broad look at starting points or extensions of your existing policies and processes. Determining the specific elements and timing for your institution begins with a risk and vulnerability assessment. We can then help you manage threats in line with the complexity and risk profile of your institution.

  • John Moeller
  • Principal